CVE-2010-3301 – Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation
https://notcve.org/view.php?id=CVE-2010-3301
The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression. La llamada del sistema IA32 para la emulación de binarios de 32 bits en arch/x86/ia32/ia32entry.S en el kernel Linux anterior a v2.6.36-rc4-git2 en la plataforma x86_64 no vuelve a cero el registro% eax después de la ruta de entrada de 32-bits cuando ptrace es utilizado, lo cual permite a usuarios locales conseguir privilegios mediante un acceso out-of-bounds a la tabla de llamadas al sistema usando el registro rax%. NOTA: esta vulnerabilidad ya existía en CVE-2007-4573 • https://www.exploit-db.com/exploits/15023 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=36d001c70d8a0144ac1d038f6876c484849a74de http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=eefdca043e8391dcd719711716492063030b55ac http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html http://secunia.com/advisories/42758 http://sota.gen.nz/compat2 http: • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-269: Improper Privilege Management •
CVE-2010-2955 – kernel: wireless: fix 64K kernel heap content leak via ioctl
https://notcve.org/view.php?id=CVE-2010-2955
The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before 2.6.36-rc3-next-20100831 does not properly initialize certain structure members, which allows local users to leverage an off-by-one error in the ioctl_standard_iw_point function in net/wireless/wext-core.c, and obtain potentially sensitive information from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl call that specifies a large buffer size. La función cfg80211_wext_giwessid en net/wireless/wext-compat.c en el kernel de Linux anterior a v2.6.36-rc3-next-20100831 no inicializa adecuadamente determinadas estructuras de miembros, lo que permite a usuarios locales aprovechar un error off-by-one en la función net/wireless/wext-core.c y obtener información potencialmente sensible desde la memoria dinámica (heap) del kernel, a través de vectores que involucran una llamada SIOCGIWESSID ioctl que especifica un gran tamaño de búfer. • http://forums.grsecurity.net/viewtopic.php?f=3&t=2290 http://git.kernel.org/?p=linux/kernel/git/linville/wireless-2.6.git%3Ba=commit%3Bh=42da2f948d949efd0111309f5827bf0298bcc9a4 http://grsecurity.net/~spender/wireless-infoleak-fix2.patch http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html http://lkml.org/lkml/2010/8/27/413 http://lkml.org/lkml/2010/8/30/127 http://lkml.org/lkml • CWE-193: Off-by-one Error •
CVE-2010-2959 – Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) - 'CAN BCM' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2010-2959
Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic. Desbordamiento de enterno en net/can/bcm en la implementación Controller Area Network (CAN) del kernel de Linux anterior a v2.6.27.53, v2.6.32.x anterior a v2.6.32.21, v2.6.34.x anterior a v2.6.34.6, y v2.6.35.x anterior a v2.6.35.4, permite a atacantes remotos ejecutar código de su elección o provocar una denegación de servicio (caída de sistema) a través de tráfico CAN manipulado. • https://www.exploit-db.com/exploits/14814 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=5b75c4973ce779520b9d1e392483207d6f842cde http://jon.oberheide.org/files/i-can-haz-modharden.c http://lists.fedoraproject.org/pipermail/package-announce/2010-September/046947.html http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2011& • CWE-190: Integer Overflow or Wraparound •
CVE-2010-2803 – kernel: drm ioctls infoleak
https://notcve.org/view.php?id=CVE-2010-2803
The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount. La función drm_ioctl en drivers/gpu/drm/drm_drv.c en el subsistema Direct Rendering Manager (DRM) en el kernel de Linux anterior a v2.6.27.53, v2.6.32.x anterior a v2.6.32.21, v2.6.34.x anterior a v2.6.34.6, y v2.6.35.x anterior a v2.6.35.4, permite a usuarios locales obtener información potencialmente sensible desde la memoria del kernel mediante una petición de reserva de memoria de una cantidad muy elevada. • http://git.kernel.org/?p=linux/kernel/git/airlied/drm-2.6.git%3Ba=commit%3Bh=1b2f1489633888d4a06028315dc19d65768a1c05 http://git.kernel.org/?p=linux/kernel/git/airlied/drm-2.6.git%3Ba=commit%3Bh=b9f0aee83335db1f3915f4e42a5e21b351740afd http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=b9f0aee83335db1f3915f4e42a5e21b351740afd http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00005.html http:/ • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •